By Danny Jung
Open source has driven the growth of many open firewall distributions, such as pfSense, OPNsense, IPFire, and others. These are often used by small and medium businesses, as most of them are available as free versions. Most of these distributions are developed by small teams that are paid only by user donations (IPFire) or are actively looking for contributions (OPNsense). Big businesses in the enterprise security market have not noticeably adopted open source firewalls yet, as these businesses rely on contractually guaranteed response times, manufacturer support, timely security updates and hotfixes, comprehensive security event views and reports, cloud support, API integration, centralized security management, multitenancy, and many other advanced features. Interestingly, all leading enterprise firewall distributions run their proprietary firewall software on open source Linux. So let’s have a closer look at their open source relationship.
The Power of Linux: Leading Enterprise Firewalls
The world of enterprise firewall security is dominated by three market-leading manufacturers: Check Point, Fortinet, and Palo Alto Networks. Recognized, independent technology research and consulting firms, such as Gartner Inc. and Forrester Research Inc., publish the results of their research studies annually, including an infographic about market leaders, competitors, niche players, and visionaries. The three leading enterprise firewall security vendors have kept their position for many years, and they all run on Linux, an open source operating system.


A Closer Look at the Firewalls’ Linux Operating Systems
| Firewall Vendor | Operating System | Kernel |
| --- | --- | --- |
| Check Point | Gaia OS | Linux |
| Fortinet | FortiOS | Linux |
| Palo Alto Networks | PAN-OS | Linux |
Check Point: From Software to Linux-based Systems
Check Point started in 1993 as a pure firewall software vendor supporting many operating systems, such as Microsoft Windows, Sun Solaris, and Red Hat Enterprise Linux. To meet the market’s growing demand for appliances in the early 2000s, Check Point had to build and support a firewall system consisting of hardware, OS, and firewall software. They customized and hardened Red Hat Enterprise Linux for the OS, which they later named Check Point Gaia OS. This approach proved successful: they could support both the OS and the firewall software, maintain a single installation image, and release software updates for the entire firewall system. As a result, they decided to drop support for all other operating systems. So, Linux has been a true success story for Check Point.
To verify which Linux kernel your Check Point installation is running on, in expert mode, run:
# cat /etc/cp-release; uname -a
Check Point Gaia R81.20
Linux version 3.10.0-1160.15.2cpx86_64 #1 SMP IST 2024 x86_64 GNU/Linux
Fortinet: ASIC-Accelerated Security on Linux
Fortinet released its first product, a physical firewall appliance, in 2002. Fortinet is known for its ASIC-based firewall security acceleration. FortiOS is a Linux-based operating system used in Fortinet’s physical and virtual appliances.
To verify which Linux kernel your FortiOS is running on, execute this CLI command:
# get system status
Version: FortiGate v7.2.6
# fnsysctl cat /proc/version
Linux version 3.10.15 (root@build) (gcc version 10.3.0 (GCC) ) #2 SMP Tue Sep 26 18:22:56 UTC 2023
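The Check Point and FortiOS checks above can be folded into one inventory step. The following is an added example, not code from this article or from either vendor: a POSIX shell function that parses the two outputs shown on this page and reports product, release, kernel, and kernel series. The function name parse_fw_banner and the pipe-separated output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: turn captured release/kernel output into one inventory line.
# Output format (an assumption of this example): product|release|kernel|series

# Reads captured CLI text on stdin; exits non-zero if no product or kernel is found.
parse_fw_banner() {
    awk '
        /^Check Point Gaia / { product = "Check Point Gaia"; release = $4 }
        # Field 2 may carry a model suffix and field 3 a ",build..." tail.
        /^Version: Forti/    { product = $2; release = $3; sub(/,.*/, "", release) }
        # uname -a puts the hostname before the release, /proc/version the
        # word "version": take the first field that starts like N.N.
        /^Linux / && kernel == "" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+/) { kernel = $i; break }
        }
        END {
            if (product == "" || kernel == "") exit 1
            split(kernel, v, ".")
            printf "%s|%s|%s|%s.%s\n", product, release, kernel, v[1], v[2]
        }
    '
}

# Sample input: the Check Point output printed on this page.
sample_checkpoint() {
    cat <<'EOF'
# cat /etc/cp-release; uname -a
Check Point Gaia R81.20
Linux version 3.10.0-1160.15.2cpx86_64 #1 SMP IST 2024 x86_64 GNU/Linux
EOF
}

# Sample input: the FortiGate output printed on this page.
sample_fortigate() {
    cat <<'EOF'
# get system status
Version: FortiGate v7.2.6
# fnsysctl cat /proc/version
Linux version 3.10.15 (root@build) (gcc version 10.3.0 (GCC) ) #2 SMP Tue Sep 26 18:22:56 UTC 2023
EOF
}

for s in sample_checkpoint sample_fortigate; do
    "$s" | parse_fw_banner || echo "unparsed: $s" >&2
done
```

Fed with output saved from each device, the fourth field lets you group a fleet by kernel series when tracking which appliances are due for a vendor update.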
Palo Alto Networks: Linux-Powered Firewall Evolution
Palo Alto Networks released its first product, an enterprise firewall appliance, in 2007. PAN-OS is a Linux-based operating system used in Palo Alto Networks’ appliances.
To verify which Linux kernel your PAN-OS is running on, view their Open Source listing.
Why Leading Firewall Vendors Choose Linux
The Linux operating system is open source, which allows security vendors to customize and harden it according to their needs. This enables them to offer customers a highly reliable firewall operating system with enhanced security features. As a result, customers no longer need to manage the operating system of their firewall, as this task is handled automatically with the installation and maintenance of the firewall software.
Firewall vendor support includes both the operating system and the firewall setup. Even when customers were able to decide on a firewall operating system, most went for a Linux-based one, as they knew the platform and command structure from many other Linux-based IT systems. That means there has been trust in Linux right from the beginning of IT security, and it continues today.
Open Source Tools for Enterprise Firewalls at a Glance
As all enterprise security firewall vendors built their solutions upon Linux as an open source operating system, it’s interesting to see how this enabled the open source community to create custom open source tools and feature additions.
Check Point’s Toolbox
Check Point offers a Toolbox through its online community, where individuals can exchange a variety of open source resources, including scripts, extensions, customized reports, and additional features for their firewall software. Accessing this Toolbox is straightforward: you can create a complimentary Check Point account.
Showcase: This Linux bash shell script shows comprehensive system information, such as health status, and has an interactive CLI menu to run even complex commands and lengthy one-liners with just a few clicks. It supports all the various Check Point system types and has been well-tested by Check Point Professional Services and Check Point partners. Even Check Point’s official training documents and courseware recommend and refer to it.

Check Point also maintains a GitHub repository. Through this repository, Check Point officially shares additional open source scripts and tools for use by partners and customers.
Fortinet’s Developer Network
Fortinet uses a different approach. Partners and customers may request access to Fortinet’s Developer Network (FNDN) to share their code.
At least two Fortinet employees must approve access to FNDN, and the access level is license-based. Therefore, most Fortinet users share their open source projects via GitHub.
Showcase: The fgt-webui-tools GitHub project extends Fortinet’s FortiGate WebUI and inserts a “Tools” menu. With the help of Fortinet’s online community, this project researched which features users missed most in the FortiGate WebUI. Based on this research, the requested features have been provided as a bookmarklet built upon open source JavaScript. A single click on the bookmarklet adds a “Tools” menu to the FortiGate WebUI, which makes the requested features available.

Palo Alto Networks’ pan-os-upgrade Project
Palo Alto Networks offers comprehensive documentation for developers and maintains a GitHub repository. Palo Alto Networks partners and customers typically share their open source projects via GitHub.
Showcase: The pan-os-upgrade GitHub project automates PAN-OS upgrade workflows.
The project provides network administrators and security professionals with an efficient tool to execute configuration backups, network state snapshots, system readiness checks, and operating system upgrades of Palo Alto Networks firewalls and Panorama appliances.
Open Source Firewalls
To get started with open source firewalls yourself, set up an open source firewall inside a virtual machine (VM). Linux has iptables built in. More feature-rich open source firewalls are pfSense, OPNsense, and IPFire. Route your network traffic through your VM firewall or configure the firewall as a proxy in your web browser. Start securing your network and application traffic by configuring security profiles and policies within your VM firewall. Have fun!
Conclusion
Linux and open source in general are the foundation for today’s global enterprise firewall security. Security vendors heavily rely on Linux because they can harden and customize it for any purpose and bundle it with their software to provide an out-of-the-box experience for customers where the operating system and the security software operate well together during installation, configuration, upgrade, backup, etc.
About the Author
Danny Jung has been working in the enterprise firewall market for more than 20 years. He conducts firewall security reviews, created many award-winning open source tools for these firewalls, and speaks at annual firewall vendors’ exhibitions. Danny is currently working as a Cyber Security Evangelist at SITS Group.
Besides his passion for IT and open source, he’s a husband and father of two. His LinkedIn profile is: https://www.linkedin.com/in/danjun/.
